knowledge-base-qa-assistant

Security checks across malware telemetry and agentic risk

Overview

This instruction-only document Q&A skill stores and indexes uploaded documents as intended, but users should take care with sensitive files.

Before installing, decide where uploaded files, extracted text, metadata, and embeddings will be stored, who can query them, and whether deletion removes both documents and indexes. Avoid uploading confidential, regulated, legal, health, or proprietary material unless the storage, access controls, model/provider handling, retention, and audit requirements match your needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This skill explicitly encourages users to upload enterprise and private documents, describes persistent storage under `knowledge_base/` and indexing for retrieval, but does not give a prominent upfront warning that uploaded content may contain sensitive data and will be stored and processed. In a knowledge-base/RAG context, this omission can lead to accidental ingestion of confidential, regulated, or proprietary data, increasing the risk of unauthorized retention, overexposure in answers, and downstream privacy or compliance violations.

VirusTotal

66/66 vendors flagged this skill as clean.
